With all this discussion of passwords, there are some very important
points to be made:
-- Environments where passwords are required vary widely.
Some will have more computer-savvy users than others, but even
within those environments there will undoubtedly exist an element of
"duh". Read Computerworld's daily SharkTank for examples.
-- Passwords too complex for your users to *easily* remember defeat the
purpose of having the password.
If passwords are unnecessarily complex, the user will either
constantly forget them, causing reduced productivity at best, or write
them down, subjecting the password to theft. In HPUX using their
Trusted System option, the SAM program generates a 30 (*THIRTY*)
character password for new accounts. What's the point??? There's no
way to remember the jumble of characters that long and it's not easily
sent to the user electronically so it must be written down and is then
immediately subject to being stolen or just plain lost on the way back
to their desk or whatever.
-- If multiple passwords exist on multiple systems, give the user a
mechanism to change/expire all at once.
In my experience, users don't know (and shouldn't have to!) why
and how they have different accounts to do their different tasks.
Ideally, they should have one account with one (possibly two for extra
security) easy-to-remember password. If not, this will confuse many
users and make their life (and consequently, yours) more difficult.
So, what to do? Glad you asked! At a DECUS (now-defunct DEC User
group) meet back in '92, a chief security guy recommended these:
1) 30 day lifetime
2) Minimum length of 12 (eep!)
3) No reuse of passwords (keep password history)
4) Check password for dictionary and common variants (e.g. username)
5) Do not use system-generated passwords
6) Teach users to use an algorithm to generate passwords.
The last one is the kicker that makes the rest easy. The guy from DEC
said to take two of your favorite things, in his example, beer and Star
Trek. Combine elements of the two to get your password, for example,
"spockmiller". To meet system requirements and make the password
incredibly more difficult to crack or guess, duplicate letters and add
numbers: "miller23spockk". The password is now easy for the user to
remember, easy for them to think of new passwords every month, and
generally about as secure as passwords can get. Of course, I use my own
variant on the above as an added measure of security to help discourage
others that know this method from attempting to guess my password. :)
This solution is not generally one of server management, but of user
training. The first five items can be enforced. The last one is how to
make it easy (easier at least) for the user to abide by those rules in
order to help keep your data secure.
Not that I know how to implement any of this in Gentoo... :)
Thoughts, comments, questions? Holler!
Rich
--
[email protected] mailing list
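As an added example (not part of Rich's post, and not code Gentoo or any mentioned vendor ships), here are the enforceable rules from the list above as a small Python checker: a 30 day lifetime, a minimum length of 12, a salted-hash password history so an old password cannot be reused, and a check for dictionary words and the user name appearing in common variants (any case, digits stripped, or reversed). The word list, user names, passwords and dates are constructed sample data, and the history depth of twelve is an assumption.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MAX_AGE_DAYS = 30       # rule 1: 30 day lifetime
MIN_LENGTH = 12         # rule 2: minimum length of 12
HISTORY_DEPTH = 12      # rule 3: assumption, remember the last twelve hashes
PBKDF2_ROUNDS = 100_000

# Constructed mini-dictionary; a real deployment would load a full word list.
DICTIONARY = {"password", "welcome", "gentoo", "spring", "summer", "letmein"}


def _digest(password, salt):
    """Salted PBKDF2 so the history never stores passwords in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of a user's previous passwords, newest last (rule 3)."""

    def __init__(self):
        self.entries = []   # list of (salt, digest)

    def remember(self, password):
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt)))
        del self.entries[:-HISTORY_DEPTH]   # keep only the newest HISTORY_DEPTH

    def seen(self, password):
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.entries)


def _normalise(text):
    """Lower-case and drop digits/punctuation so 'Miller23' and 'miller' compare equal."""
    return re.sub(r"[^a-z]", "", text.lower())


def dictionary_hits(password, username, dictionary=DICTIONARY):
    """Rule 4: dictionary words or the user name found in the password in a
    common variant (any case, digits stripped, or spelled backwards)."""
    core = _normalise(password)
    hits = []
    for word in sorted(dictionary | {username}):
        w = _normalise(word)
        if len(w) >= 4 and (w in core or w[::-1] in core):
            hits.append(word)
    return hits


def check_password(username, candidate, history):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if history.seen(candidate):
        problems.append("reused from password history")
    hits = dictionary_hits(candidate, username)
    if hits:
        problems.append("contains dictionary/user-name words: " + ", ".join(hits))
    return problems


def expired(last_changed_iso, today_iso):
    """Rule 1: true once the password is older than MAX_AGE_DAYS (ISO dates)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.remember("miller23spockk")                          # constructed: last month's password
    print(check_password("rich", "miller23spockk", hist))    # reuse
    print(check_password("rich", "Spring2003!", hist))       # too short, dictionary word
    print(check_password("rich", "kirk44budweiserr", hist))  # passes
    print(expired("2003-01-01", "2003-02-15"))               # True
```

Rule 5 (no system-generated passwords) and rule 6 (user training) are process rules rather than something a checker can test, so they are deliberately left out; the dictionary check is the piece a site would tune most, by loading a real word list and adding local terms such as the company or product name.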